Archive

A common cry in Anonymous circles is ‘Free Jeremy Hammond; Fuck Sabu’. Jeremy Hammond is currently serving a ten-year prison sentence for his involvement in the Stratfor hack. Sabu (real name Hector Xavier Monsegur) will be sentenced tomorrow for his role in LulzSec and many other hacks. He is expected, at the FBI’s request, to walk free. The judge in both cases was, and is, Judge Loretta Preska. Comparing and contrasting the behaviour of Hammond and Monsegur explains the Anonymous cry.

Sabu

Monsegur was the founder of the original LulzSec hacking group, (in)famous for its ’50 days of lulz’ during the summer of 2011. Sabu was ‘outed’ and subsequently interviewed by the FBI. He rapidly (by the next day) agreed to cooperate, and has been cooperating ever since. There is some suggestion that the FBI pointed out that his two young nieces, for whom he is a foster parent, would face an uncertain future if he were incarcerated.

The extent of that cooperation is only just becoming clear, although it was always known to be extensive. Some of it borders on illegality, and is certainly immoral. The Stratfor hack was organized by Sabu at the behest of the FBI in order to entrap Jeremy Hammond, a member of Anonymous rather than LulzSec but high on the list of the FBI’s most wanted. It worked. It also, incidentally, ensnared Barrett Brown, who was arrested effectively for publishing a link to stolen Stratfor information, although those charges have now largely been dropped.

Sabu’s cooperation also led to the unmasking and arrest of the other members of LulzSec: two in the UK, two in Ireland and one in the US. It seems clear that he also tried to implicate and entrap many others, including, for example, Jacob Appelbaum.

Jacob Appelbaum tweeting on Saturday

He also cooperated with the government, using Hammond, to enable it to hack foreign websites. Hammond’s attorneys wrote to Judge Preska last month:

Hammond’s own behaviour has been in direct contrast. After his arrest he decided to fight the charges. Eventually, however, he gave up and accepted a plea deal with the government. Almost exactly one year ago he announced,

Today I pleaded guilty to one count of violating the Computer Fraud and Abuse Act. This was a very difficult decision. I hope this statement will explain my reasoning. I believe in the power of the truth. In keeping with that, I do not want to hide what I did or to shy away from my actions. This non-cooperating plea agreement frees me to tell the world what I did and why, without exposing any tactics or information to the government and without jeopardizing the lives and well-being of other activists on and offline.

Statement from Jeremy Hammond regarding his plea

Jeremy Hammond (Associated Press)

His reasoning was not that he thought he would lose the case, but that the FBI would simply press similar charges elsewhere. “The process might have repeated indefinitely,” he said.

I have already spent 15 months in prison. For several weeks of that time I have been held in solitary confinement. I have been denied visits and phone calls with my family and friends. This plea agreement spares me, my family, and my community a repeat of this grinding process.

The key sentence in this announcement is, “This non-cooperating plea agreement frees me to tell the world what I did and why, without exposing any tactics or information to the government and without jeopardizing the lives and well-being of other activists on and offline.” So while Sabu cooperated with the FBI and will most likely walk free tomorrow, Hammond refused to cooperate and took a ten-year sentence. That, basically, is why the call is ‘Free Jeremy Hammond; Fuck Sabu.’

Tomorrow, 27th May 2014 at 11 am, Judge Preska will pronounce sentence on Sabu. In theory he faces a sentence of between 259 and 317 months for the crimes he has admitted. But, says the FBI in its pre-sentencing submission to Judge Preska,

He has, during the three years of his cooperation with the FBI, served seven months in prison. Judge Preska is expected to follow the FBI request and sentence him to seven months – allowing him to walk free.

We will update this post tomorrow with details of Judge Preska’s sentence.

Update

The much delayed sentencing of former LulzSec hacker-turned-FBI informant Hector “Sabu” Monsegur finally took place on Tuesday, when he received time served plus one year of supervised release with computer logging.

Ars Technica

Barrett Brown was indicted last week on 12 new counts. The first was “Traffic in Stolen Authentication Features.” These authentication features (belonging to credit card numbers) were lifted from Stratfor by LulzSec/AntiSec around Christmas last year.

Brown is not accused of being a member of LulzSec or AntiSec.

Brown is not accused of being involved in the Stratfor hack.

Brown is not accused of making fraudulent use of the credit card details.

The indictment states that

On or about December 25, 2011, in the Dallas Division of the Northern District of Texas and elsewhere, defendant Barrett Lancaster Brown, aided and abetted by persons known and unknown to the Grand Jury, in affecting interstate commerce, did knowingly traffic in more than five authentication features knowing that such features were stolen and produced without lawful authority, in that Brown transferred the hyperlink “http://wikisend.com/download/597646/stratfor_full_b.txt.gz” from the Internet Relay Chat (IRC) channel called “#Anonops” to an IRC channel under Brown’s control called “#ProjectPM,” said hyperlink provided access to data stolen from the company Stratfor Global Intelligence, to include 5,000 credit account numbers, the card holders’ identification, and the authentication features for the credit cards known as the Card Verification Values (CVV), and by transferring and posting the hyperlink, Brown caused the data to be made available to other persons online without the knowledge and authorization of Stratfor Global Intelligence and the card holders.

In other words, Barrett Brown has been indicted for posting a link on the internet. He did nothing more than that. That’s more than a bit worrying. Is the FBI going to come after anyone posting a link to a file containing information it doesn’t wish to be public? What does that do to the freedom of the press?

But that link for which Brown has been indicted has been made public by the indictment. Now I believe I am outside of the FBI’s jurisdiction (McKinnon and O’Dwyer and indeed Assange may think differently), but the signatories to the indictment are not. Candina S Heath (Assistant United States Attorney, Northern District of Texas) has her name printed. The others I cannot decipher:

Signatories to Barrett Brown’s second indictment

In the interest of justice, then, I confidently await at least three new indictments with almost exactly the same wording as Brown’s, naming three new defendants who, by making public the same hyperlink, “caused the data to be made available to other persons online without the knowledge and authorization of Stratfor Global Intelligence and the card holders.” Unless, of course, every single one of the 5000 cardholders (and for that matter every single Stratfor client mentioned in the leaked file) has given explicit consent for the disclosure…

But before saying anything else, I should stress that I am taking this tweet and the TechWeekEurope report on Josh Corman’s RSA 2012 comments at face value. I cannot personally corroborate either.

Firstly, the idea that being ‘kind’ yesterday should excuse being ‘unkind’ today seems strange. Corman’s latest reported comments are not capable of being misconstrued:

Anonymous has very few hackers, it has very few activists… It is very misleading to call the groups hacktivists. The common attribute is angst. The talented ones are either quitting or starting to do things that are more clandestine.

If accurate, the purpose of these sentiments can only be to belittle and perhaps ridicule Anonymous. The reality is, ridicule and disinformation are Authority’s most effective weapons against Anonymous. This explains why Anonymous questioned his motives.

But this is not what intrigues me most about Carr’s tweet. It is the comment, “trying to help Anonymous become a more effective org”. It is a fundamental contradiction in terms that displays a basic misunderstanding of Anonymous. In fact, I would go further. If someone really does understand Anonymous and tries to help it become a more effective organization, then that person has an ulterior motive and is actually trying to weaken Anonymous.

Anonymous is not an organization. Its strength is that it is not an organization. In fact I suggest that its survival depends upon it never becoming an organization. Organizations have structures. Structures have hierarchies. Hierarchies have heads – and heads can be beheaded.

Think of LulzSec. It was taken apart because it had at least a nominal head in Sabu. By first taking Sabu, the FBI was able to destroy LulzSec. It also explains why the US is expending so much effort on getting Assange – by attacking the structure of Wikileaks it will ultimately destroy Wikileaks. So long as Assange is a primary focal point for Wikileaks, Wikileaks has a weakness. But by having no structure, Anonymous becomes a Hydra.

I don’t know whether any such thinking exists within the Anonymous movement. I suspect the ‘official’ line is that it is governed by its own ‘collective consciousness’. On one level this is a weakness because it allows different factions to act out their own predilections in the name of Anonymous. The collective (not the organization) cannot denounce these acts because it would deny the principle of collective consciousness. As a result, winning the hearts and minds of the unaligned public becomes difficult and highly susceptible to ridicule and accusations of terrorism.

But it does have one huge strength. The mere fact that Anonymous exists is a testament to increasing worldwide discontent with the political and social status quo. As this discontent, illustrated by the Occupy Movement, continues to grow, so Anonymous will continue to strengthen. Becoming ‘organized’ would provide a weakness that the authorities will exploit. So it must continue with its disorganized and decentralised lack of structure. It will make the battle longer; but it is the only way it can win. To organize itself would be to destroy itself.

A simple glance around the contemporary threatscape shows that cyberwar is getting increasingly confused and complicated: confusticated, in fact. Nation states are (allegedly) attacking nation states; criminals are attacking infrastructures; nation states are (allegedly) controlling criminals; criminals are attacking the people; and the people are rebelling against their governments.

Let’s start at the top: state-sponsored cyber attacks. It came to the surface with Aurora two years ago – and incidentally, the gang behind it, whether state- (for which read ‘China’) sponsored or not, is still active – blossomed with Stuxnet and Duqu and went into overdrive with Flame and Wiper. The last four are all (allegedly) part of a US/Israeli campaign against Iran; and this is not cyber-espionage, this is pure war.

The thing about Wiper is that it is destructive. It attempts to be – and succeeds in being – a new form of ‘stealth’: it self-destructs to avoid being taken alive. And as far as is known, there is still no live Wiper in captivity. First, as far as we understand, it steals data; then it destroys data; and then it kills itself.

After Wiper we had Shamoon, and this is where things start to get complicated. Shamoon seems to be a poor copy of Wiper, and is believed to have been used to attack the Saudi oil company, Aramco – and possibly the Qatari energy company RasGas two weeks later. Now we are in the land of conjecture. Shamoon could have been designed and used by traditional criminals; but that idea doesn’t quite hang together.

Another theory points the finger at Iran. Shamoon, it suggests, is an Iranian retaliatory strike following Stuxnet and Flame; and targeting Aramco because of the Saudi promise to increase oil production to offset the effect of sanctions against Iranian oil. This theory suggests that since Iran was the primary target of Wiper, it more than any other source would be well-positioned to develop a copy – and indeed Shamoon does appear to be a poor copy of Wiper.

This political theory of Shamoon is supported internally by the malware itself. Part of its data-wiping process overwrites data with a fragment of a JPG file. That picture has now been recognised: it is a picture of a burning US flag. What we don’t know is whether Shamoon is state-produced in the same way as Stuxnet, Flame and Wiper, or whether it is produced by criminals ‘encouraged’ by the state. Incidentally, we are in exactly the same position with Aurora. The gang behind Aurora, called the Elderwood gang by Symantec, is still very active and still targeting primarily US defense companies. Is it China, or Chinese criminals, or Chinese criminals ‘encouraged’ by China?

The simple fact is the confustication of modern cyberwarfare means we neither know nor are likely to know the answers to these questions: plausible deniability lies at the heart of all cyber criminality.

Now let’s consider hacktivism, the ‘civil war’, or just civil rebellion, part of cyberwarfare – Wat Tyler vs the king. Anonymous is the seminal hacktivist, but not the only actor. Since the demise of LulzSec, Anonymous has largely undertaken its protest through DDoS (not entirely, since it was involved in first stealing huge volumes of Syrian emails, and then leaking them to WikiLeaks). But now it has been ‘joined’ by NullCrew, adding to the hacking power of AntiSec. AntiSec may be mainstream Anonymous; but NullCrew is separate. It just has similar sympathies, and many of its recent hacks have been performed in the name of the Anonymous-led and politically motivated #OpFreeAssange.

Both AntiSec and NullCrew are seriously ‘talented’ hackers. AntiSec recently stole a large number of Apple UDIDs from either the FBI or BlueToad, depending on who you believe. NullCrew hacked a Cambodian Army site, Logica, Cambridge University, the European Space Agency and more. 0x00x00, perhaps a member of NullCrew, perhaps not, has undertaken his own Assange campaign, breaking into numerous websites and leaving an Assange poster as a calling-card.

But while we’re talking about hacktivism, let’s not forget that the king has his own men – the FBI (and SOCA) acting within the king’s law, and Jester – that ‘hacktivist for good’ – acting outside of it. The latter recently took on and took out a well-respected site, Cryptocomb, in what Cryptocomb openly described as a ‘state-sponsored’ attack. Now, if this isn’t confusticating enough, there is even a civil war within the rebels. One faction has been calling for a more organised Anonymous with a supreme council directing operations – only to be slapped down by the existing Supreme Council of One, Commander X. There will be no Supreme Council for at least as long as Commander X remains in charge (which, of course, he is not, other than by general consensus). Confused yet?

Well, let’s summarize. There is a legal cyberwar being fought by the US and Israel (and, if you believe the cyber-underground, the UK was involved: shortly before his very strange death in August 2010, it is claimed that GCHQ’s Gareth Williams had been commuting between GCHQ and the NSA, and had just started talking about whistleblowing on something, all just before Stuxnet exploded). AntiSec claims on Pastebin, “And then you have Gareth Williams (31), the GCHQ hacker murdered and ‘bagged’ inside a MI6’s ‘safe’ house (we’d hate to see what the unsafe ones look like) in August of 2010 after talking about being curious about leaking something to Wikileaks with fellow hackers on irc.”

Then there is an illegal war of retaliation being fought by Iran, together with old-fashioned cyberespionage from China. And finally, the war against terror has spread to the battle against Anonymous (always classified as cyberterrorists, and therefore within the purview of the war on terror, by the king’s men) in an attempt to quell the cyber rebellion.

But – and we have to stress this – it is all conjecture, allegation and confustication. The problem is, we haven’t mentioned that primary weapon of all warfare used by all antagonists against all enemies: disinformation. And all sides are very good at it.

John Young is one of my heroes. In many ways he is the prototype WikiLeaks – less showy, less flamboyant, but as honest as a summer’s day in the Arctic is long. He’s like an old-fashioned editor before the money-men took over: publish and be damned, so long as it is true.

Jester is a pain in the backside. Jester is a self-righteous, self-proclaimed, self-promoting hacktivist for good.

Jester doesn’t seem to like the truth. He doesn’t seem to like government sins made public. He seems to think that American and other allied soldiers are fighting and dying in Afghanistan and other theatres of war to protect the western politicians, regardless of how corrupt, or deceitful they may be. He seems to want to be the arbiter of what we are allowed to know. In short, he wants to defend a way of life that isn’t worth defending.

Needless to say, Jester doesn’t like John Young or his websites. He says that Cryptocomb leaked to Fox News the true name of the Navy SEAL who has authored a book due to be published next month on the killing of Osama bin Laden. Cryptocomb says, “The suggestion that Cryptocomb leaked a story to Fox News is simply crazy.” One is an inveterate liar and self-aggrandizing distorter of the truth, and the other is Cryptocomb. The Fox News story, incidentally, is here: Fox News Outs The Navy SEAL Who Wrote An Anonymous Book On The Bin Laden Raid.

But, true to character, Jester took the law into his own self-righteous hands and launched a successful denial of service attack on Cryptocomb. He tweeted:

Jester claims and justifies attack

A quick check on Cryptocomb did indeed show problems:

Tango down Cryptocomb

I’ll come back to that comment later. But then Jester tweets:

Jester claims victory

and Cryptocomb is back up. The only indication of any removed file from Cryptocomb that I can find is “th3j35t3r takes down Cryptocomb”. It’s gone. Can’t even find it on Google cache. Lucky I took a quick, sadly partial screenshot earlier:

file removed from Cryptocomb

I cannot be certain that this is the file that Jester refers to. It looks possible, and could be used to justify his second tweet; but it’s certainly not a file leaking a SEAL name to Fox News. Is this a victory for Jester? Well he’d certainly like us to think so; but it’s pretty meaningless either way since Cryptocomb still links to the full Fox News expose.

Let’s go back to Cryptocomb’s earlier comment. State-sponsored attack? Well, I’ve often wondered. Earlier today in the UK it became known that an arrested Facebook troll is actually a serving policeman. The victim commented, “When [Olympic diver] Tom Daley was trolled, within 24 hours someone was traced and arrested.” For her it took nine months and a high court judgement. On Tuesday the FBI arrested at least the ninth alleged member/associate of LulzSec. It seems self-evident that when law enforcement decides it wants or needs to catch someone, it can and will. Consequently, it’s impossible to avoid the conclusion that the FBI is turning a blind eye to the antics of Jester. And if that’s the case, no amount of plausible deniability can change the fact that this was indeed a state-sponsored attack, by collusion if not by direction.

By way of introduction I will start by pointing to two stories I did for Infosecurity Magazine. The first is Bieber Hackers and the Anonymous image problem (7 June 2012), in which I argue that Anonymous will lose the battle for hearts and minds because the general public cannot distinguish between the unprincipled hangers-on (like UGNazi) and the politically motivated Anonymous-proper.

The second story was last week: WikiLeaks starts to publish Syrian emails (6 July 2012). This story introduces the Syria Files, the start of WikiLeaks’ publication of 2.4 million Syrian emails; and I mention that I had been told by Anonymous that the documents had come from their OpSyria campaign.

Between these two articles, Anonymous published its own paper called ‘Operation Rebuild the Hive’. It recognizes some of the image problems:

Anonymous has shown its weak point, EACH OTHER. We have let the world see we can be easily deterred from our main goals by simply turning on each other. Not only have long time friends become enemies, but also we have steered possible New Blood from wanting to join. Do not forget where we come from, Do Not forget why we fight, Do not forget the people who we have helped along the lines. We as a collective must Regroup, Rethink our strategies, and REBUILD not only each other, but ourselves.

Operation Rebuild the Hive

How? Well, much is what you would expect. By supporting newcomers and keeping them safe; by loving one another; by discussing new operations and agreeing them before executing them. But there is another theme that runs through the proposals: Anonymous should be Anonymous – full stop. Everyone should change their Twitter display names to Anonymous “so we can all be one, and not just an individual.” Operations and defacements should “Display the name Anonymous, so that we as a hive can stand out and not just a crew.” And, “we move as ONE. Do not let yours or someone else’s ego get in the way of who and what we are.”

If this approach were adopted, then a major structural problem within Anonymous would be eliminated. If UGNazi, or any other crew, wants to call itself UGNazi – or any other name – it is by definition NOT Anonymous.

But then, later in the day of my second article, Anonymous publicly claimed responsibility for the Syria Files. Its announcement starts with a bit of a put down to my little article in Infosecurity: “there seems to be one very obvious question that no one is asking. Where exactly did WikiLeaks get all these E-Mails? This press release is written and addressed to the media and the world to answer this important un-asked question.” Um, er, actually, I did ask…

However, my bruised ego aside, it continues:

On February 5, 2012 at approx. 4:00 PM ET USA an Anonymous Op Syria team consisting of elements drawn from Anonymous Syria, AntiSec (now known as the reformed LulzSec) and the Peoples Liberation Front succeeded in creating a massive breach of multiple domains and dozens of servers inside Syria. This team had been working day and night in shifts for weeks to accomplish this feat. So large was the data available to be taken, and so great was the danger of detection (especially for the members of Anonymous Syria, many of whom are “in country”) that the downloading of this data took several additional weeks.

Anonymous Operation Syria – Press Release

This shows that the lesson hinted at in the Rebuild document has not hit home. Anonymous still talks about AntiSec and LulzSec and Anonymous Syria. The problem is that anybody can claim to be AntiSec or LulzSec or Anonymous Isle of Wight. Surely one small start in protecting the Anonymous image would be the elimination of all crews. If some bieber hacking group calling itself Cr3wP01s0n then claims the kudos and protection of acting in the name of Anonymous in taking down some village charity shop, the world would know: this is not Anonymous.

Anonymous still has much to do before it wins the battle for hearts and minds. And it is a battle it must win if it is to succeed. Anonymous must be seen to be what it really is: a force for the people, not just a bunch of script kiddies out for the lulz.

TheWikiBoat’s OpNewSon, which commenced at midnight on Friday 25th May, falls somewhere between a fail and an abject fail.

It was announced on 11 April. “On the day of the operation, we plan to hit and attack several high corporate entities,” said TheWikiBoat. “Those targets are none other than the ones who ultimately rule: the high revenue making companies of the world.” The attack would be multi-phased: first a DDoS, followed by a hack resulting in the leak of “highly classified data from the targets”.

Somehow, this description grew into an attack on 46 major global companies, including Bank Of America, Apple, Wal-Mart, Tesco and others. I can find no source for this, so it could either be journalistic licence or a passing comment on an IRC channel. I did a preview of OpNewSon on Infosecurity Magazine: TheWikiBoat’s OpNewSon fires today.

But OpNewSon never matched its claims. In the event, it seems that only one site, BethBlog, was attacked, with debatable success. BethBlog is the online home of Bethesda Softworks, a game developer and publisher, and not one of “the ones who ultimately rule”. In security terms it would be classified as a soft target.

So what do we make of TheWikiBoat now? Is it a group of wannabes looking for the notoriety of LulzSec and the fame of Anonymous, but with more chutzpah than skill? That is bound to be the first reaction, and it may well be right. It may also be wrong.

TheWikiBoat seems to be blaming VoxAnon for pulling the IRC channel and effectively leaving the wiki boat without a rudder. Given the global nature of its members and the many different time zones involved, it became impossible to focus the fire power. Could be. Or it could be the group just didn’t get the LOIC critical mass; it could be they didn’t have the fire power to focus.

Either way, you cannot imagine either Anonymous or LulzSec making such a mess of such a well publicised plan. Personally, I hope TheWikiBoat disbands. If they have skills, then they should use their skills for good. Lulz for lulz’ sake is just childish. And if they are wannabes, they should simply grow up. There is already too much wrong in this world to add to it.